Date:      Mon, 12 Mar 2007 14:34:08 -0700
From:      Han Hwei Woo <hhw@pce-net.com>
To:        Alexandre Biancalana <ale@seudns.net>
Cc:        freebsd-net@freebsd.org
Subject:   Re: PF route-to behavior
Message-ID:  <45F5C750.4000804@pce-net.com>
In-Reply-To: <45F564B5.10307@seudns.net>
References:  <45F564B5.10307@seudns.net>

Just to be certain, are you aware that for PF, the last matching rule is 
applied? Also, you can use the command:
# pfctl -vv -sr
to examine how your rules are being matched.


Cheers,
Han


Alexandre Biancalana wrote:
> Hi List,
>
>
> I'm doing a firewall setup using 6-STABLE + PF with two internet links, 
> but I can't get the route-to rule to work the way I need.
>
>
>          (default gw)    _______
>  Link A <-----------> |int A  |
>                       |       |
>  Link B <-----------> |int B  |
>                       |_______|
>                       FreeBSD FW
>
> A simple thing that I need to do is test the two Internet links to 
> know if they are up or not. To do this I could ping or connect to tcp 
> ports on some external ips through each link. Using nc and hping I 
> tried to do this by generating connections/packets from each network interface 
> connected to each link, but the packets always go out by the interface 
> indicated by the machine's default route.
>
> I tried to add these rules in pf to force packets out by the right 
> interface based on their source address, but this does not work, and 
> the packets generated with the ip of int B are going out by int A.
>
> pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
> pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any
>
>
> Am I forgetting something ? Any comments ?
>
>
> Regards,
>
> Alexandre
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>
>
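To make the point in Han's reply concrete, here is an added pf.conf example that is not part of the thread: it places the two route-to rules from the original post next to a later catch-all rule that silently overrides them, and then shows the same rules made final with `quick`. Interface names (em0, em1) and gateway addresses (RFC 5737 documentation addresses) are assumptions, and the catch-all rule is a hypothetical stand-in for whatever later rule is matching in the real ruleset.

```conf
# Added example, not from the thread. Interface names and gateways are
# assumptions; the catch-all rule is hypothetical.
int_a    = "em0"
int_b    = "em1"
int_a_gw = "192.0.2.1"
int_b_gw = "198.51.100.1"

# --- Ordering that fails (load only ONE of the two sections below) ---
# PF applies the LAST matching rule unless a rule says "quick".
# A packet sourced from int_b's address leaves via the default route on
# int_a and matches the first route-to rule ...
pass out log on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
pass out log on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any
# ... but it also matches this later rule, which carries no route-to.
# Being the last match, it wins, and the packet stays on int_a.
pass out on $int_a from any to any
pass out on $int_b from any to any

# --- Ordering that works: "quick" stops evaluation at the route-to rule ---
pass out log quick on $int_a route-to ( $int_b $int_b_gw ) from $int_b to any
pass out log quick on $int_b route-to ( $int_a $int_a_gw ) from $int_a to any
pass out on $int_a from any to any
pass out on $int_b from any to any
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then generate the test traffic from each interface address and run `pfctl -vv -sr`: the verbose listing prints each rule with its number and Evaluations/Packets/States counters, so the rule whose counters advance is the one that actually won the match for that packet.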




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?45F5C750.4000804>